Mozilla disables older versions of Java plug-in in Firefox

Even installing the latest update leaves an old version of the plugin behind.
According to security expert Brian Krebs, Mozilla has started disabling the older versions of the Java Deployment Toolkit plug-in in its Firefox web browser. In a post on his blog, Krebs says that Mozilla is likely just attempting to "block attacks against a newly-discovered Java security hole that attackers have been exploiting of late to install malicious code."

Last week, Oracle released Java 6 Update 20 to patch critical vulnerabilities in the Java Deployment Toolkit and in the new Java Plug-in, both of which were already being exploited in the wild. By default, installing Java automatically installs the Java Deployment Toolkit plug-in into Microsoft's Internet Explorer and Mozilla's browsers, such as Firefox and the SeaMonkey "all-in-one internet application suite". However, one remaining issue is that Java updates often leave older, vulnerable versions of the plug-in installed in Firefox. Even uninstalling Java itself can leave the plug-in behind. Version 6.0.200.2 of the plug-in reportedly addresses the vulnerability issues.

Users with older versions of the plug-in should automatically receive a prompt to disable the Java Deployment Toolkit (JDT) plug-in. Alternatively, users can manually disable the Java Deployment Toolkit modules under Tools / Add-ons / Plug-ins. The latest stable release of Firefox is version 3.6.3 from the beginning of April.